DETAILED ACTION 

1. This is a Final Office Action in response to the applicant's communication filed on May 09, 
2007. 

2. Claims 1-24 have been examined. 

3. Claims 1-24 are pending. 

Response to Arguments 

4. Applicant's arguments filed on May 09, 2007 have been fully considered but they are not 
persuasive. 

The applicant argues on page 8: paragraphs 2, 3, 4: "Moran does not disclose upon 
identifying a mismatch in compared digital signatures, issuing an instruction to record an entry in 
a log file located in a second remote database, said entry identifying a 
possible intrusion in a host, as recited in claim 1, 10, 15." 

The examiner disagrees with the above applicant's argument because Moran discloses in 
column 223: lines 35-46: "In an embodiment of the invention, the system collects data related to 
logins with multiple sensors, such as: a) the Directory-Tree Scanner that collects information 
from the directories and from the i-nodes b) the sensor for the password file (and shadow 
password file if it exists) c) sensors for each of the logfile formats: i) cron and at logs ii) lastlog 
iii) sulog iv) syslog v) utmp/wtmp;" and Column 23: lines 53-65: "The analysis engine may 
use the pathnames for the active log files (the ones receiving new records) as a starting point for 
deducing which files are rolled down copies of these log files. Deducing the roll-down pattern(s) 
from the database of filenames (from the Directory-Tree Scanner sensor) is the preferred 
approach." 

The applicant argues on page 9: paragraphs 3, 4: "Further, neither Moran, nor Trostle, 
disclose or suggest a method issuing a command to an operating system of a host to bring the 
host to a single user state upon identifying the mismatch in compared digital signature, as recited 
in claim 3." 

The examiner disagrees with the above applicant's argument because Trostle discloses in 
column 6: lines 29-42: "If the server determines that the proof is invalid, the server increments 
an intruder detection counter in step 96. In step 98 the server compares the value of the counter 
with a predetermined maximum value to prevent logins by the user (step 100) if there have been 
a number of unsuccessful attempts to enter the correct password. If a valid proof is transmitted to 
the server, network access is granted in step 102 (note the proof will only be valid if the user 
entered the correct password). In step 100, the NIC may be disabled to prevent subsequent 
workstation/server communication, while still allowing the workstation to operate as a public 
object (i.e., as a stand alone workstation). Alternatively, the workstation may be completely 
disabled, for example, by not loading the operating system from the server." 

The applicant argues on page 9: paragraphs 3, 4: "Moran, nor Trostle, disclose or 
suggest first and second remote databases located on a single server, or a plurality of servers 
belonging to a local area network, the first remote database storing digital signature and the 
second remote database in which an entry is recorded identifying a possible intrusion in the host, 
as recited in claim 4." 

The examiner disagrees with the above applicant's argument because Moran discloses 
and provides this in figures 2 and 3. 

Therefore the applicant's argument is not persuasive to overcome Moran to place independent 
claims 1, 10 and 15 in condition for allowance for the above given reason. The applicant's 
argument is also not persuasive to overcome dependent claims 2-9, 11-14 and 16-24 depending 
directly or indirectly from their corresponding independent claims over Moran in view of Trostle 
for the above given reasons. 

Claim Rejections - 35 USC §102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application by 
another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title 
before the invention thereof by the applicant for patent. 

6. Claims 1, 10 and 15 are rejected under 35 U.S.C. 102(e) as being anticipated by Moran 
(US Pat. No. 6,647,400). 

As per claim 1: 

Moran discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, the 
method comprising: 

(a) monitoring data entities via comparing a locally stored copy of a digital signature 
associated with each data entity against a corresponding digital signature stored in a first 
remote database (column 4: lines 1-15; figure 9: compute signature of a file; Does 
signature match the previously computed signature for file; Abstract; column 4: lines 17- 
23; column 32: lines 49-59); and 

(b) upon identifying a mismatch in compared digital signatures, issuing an instruction 
to record an entry in a log file located in a second remote database, said entry identifying 
a possible intrusion in a host (column 32: lines 6-22; column 32: lines 49-59; column 33: 
lines 36-41). 

As per claim 10: 

Moran discloses a system to detect intrusion comprising: 

a host running a monitoring daemon working in conjunction with a configuration file, 
said configuration file identifying files and directories to be monitored in said host and 
said host communicating with external networks via one or more network interfaces, said 
monitoring daemon dynamically monitoring said files and directories identified by said 
configuration file by comparing a locally stored digital signature corresponding to each 
file or directory against a remotely stored corresponding digital signature (column 4: lines 
1-15; figure 9: compute signature of a file; Does signature match the previously 
computed signature for file); 

a digital signature database remote from said host storing said digital signatures 
associated with files and directories identified by said configuration file (Abstract; 
column 4: lines 17-23; column 32: lines 49-59); and 

a log database remote from said host recording entries corresponding to mismatches 
between a digital signature stored in said host and a corresponding digital signature in 
said digital signature database (column 32: lines 6-22; column 32: lines 49-59; column 
33: lines 36-41). 

As per claim 15: 

Moran discloses an article of manufacture comprising a computer usable medium having 
computer readable program code embedded therein to detect intrusion in a host via a monitoring 
daemon operating in conjunction with a configuration file defining data entities to be monitored, 
said medium comprising: 

computer readable program code comprising executable instructions to monitor data 
entities via comparing a locally stored copy of a digital signature associated with each 
data entity against a corresponding digital signature stored in a first remote database 
(column 4: lines 1-15; figure 9: compute signature of a file; Does signature match the 
previously computed signature for file; Abstract; column 4: lines 17-23; column 32: lines 
49-59); 
computer readable program code comprising executable instructions to issue an 
instruction to record an entry in a log file located in a second remote database upon 
identifying a mismatch in compared digital signature, said entry identifying a possible 
intrusion in said host (column 32: lines 6-22; column 32: lines 49-59; column 33: lines 
36-41). 

Claim Rejections - 35 USC §103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

8. Claims 2-9, 11-14 and 16-24 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Moran (US Pat. No. 6,647,400) in view of Trostle (US Pat. No. 5,919,257). 

As per claim 2: 

Moran does not explicitly disclose issuing a command to bring down said one or more 
network interfaces to isolate said host upon identifying the mismatch in compared digital 
signatures. Trostle, in analogous art, however, discloses issuing a command to bring down said 
one or more network interfaces to isolate said host upon identifying the mismatch in compared 
digital signatures (figure 4: 78-96; figure 5: 100; column 6: lines 30-42). 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to modify the system disclosed by Moran to include issuing a 
command to bring down said one or more network interfaces to isolate said host upon identifying 
the mismatch in compared digital signatures. This modification would have been obvious 
because a person having ordinary skill in the art would have been motivated to do so to provide a 
trusted technique for detecting illicit changes to executable programs (e.g., a "Trojan horse" 
appended to an executable program by a computer hacker) as suggested by Trostle in (column 3: 
lines 19-28). 

As per claim 3: 

Trostle discloses issuing a command to an operating system of the host to bring said host 
to a single user state upon identifying the mismatch in compared digital signatures (figure 4: 78- 
96; figure 5: 100; column 6: lines 30-42). 

As per claim 4: 

Trostle discloses said first remote database and said second remote database are located 
on a single server or a plurality of servers belonging to a local area network (column 3: lines 54- 
65; figure 1: 12). 

As per claim 5: 

Trostle discloses communications between said host and first remote database are 
encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 6: 
Trostle discloses communications between said host and second remote database are 
encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 7: 

Moran discloses said digital signature is an MD5 signature and said first remote database 
is an MD5 database (column 31: lines 46-55). 

As per claim 8: 

Moran discloses said second remote database is a SYSLOG database (column 24: lines 
47-64). 

As per claim 9: 

Moran discloses said data entities comprise one or more system files, configuration files, 
or directories (column 4: lines 5-35). 

As per claim 11: 

Moran discloses a system to detect intrusion, wherein said digital signature database and 
said log database are located on a single server or a plurality of servers belonging to a local area 
network (figure 3: 306, 308, 304). 

As per claim 12: 
Trostle discloses a system to detect intrusion, wherein communications between said host 
and said digital signature database are encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 13: 

Trostle discloses a system to detect intrusion, wherein communications between said host 
and log database are encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 14: 

Moran discloses a system to detect intrusion, wherein said digital signature is an MD5 
signature and said first remote database is an MD5 database (column 31: lines 46-55). 

As per claim 16: 

Trostle discloses an article of manufacture, further comprising computer readable 
program code comprising executable instructions to issue a command to bring down one or more 
network interfaces to isolate said host upon identifying the mismatch in compared digital 
signatures (figure 4: 78-96; figure 5: 100; column 6: lines 30-42). 

As per claim 17: 

Trostle discloses an article of manufacture, the step of issuing a command to an operating 
system of said host to bring said host to a single user state upon identifying the mismatch in 
compared digital signatures (figure 4: 78-96; figure 5: 100; column 6: lines 30-42). 
As per claim 18: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, said host having one or more network interfaces to communicate 
over one or more networks, said method comprising: 

a. reading a configuration file to identify data entities to be monitored on a host 
(column 4: lines 1-15); 

b. for each data entity to be monitored, extracting a digital signature from said host 
(figure 9: compute signature of a file); 

c. for each data entity to be monitored, querying a remote digital signature database 
via said one or more network interfaces and requesting a digital signature corresponding 
to said digital signature extracted from said host (figure 9: Does signature match the 
previously computed signature for file); 

d. for each data entity to be monitored, receiving said corresponding digital 
signature from said remote digital signature database (figure 3: 308, 306, 304, 312); 

e. matching digital signature received from said remote digital signature database 
with digital signature extracted at said host (Abstract; column 4: lines 17-23; column 32: 
lines 49-59); 

f. upon identifying a mismatch, transmitting an instruction to a remote log database 
via said one or more network interfaces, said instruction executed in said remote log 
database to record an entry in a log file indicating a possible intrusion in said host 
(column 32: lines 6-22; column 32: lines 49-59; column 33: lines 36-41). 
Moran does not explicitly disclose performing at least one of the following: issuing a 
command to bring down said one or more network interfaces to isolate said host; issuing a 
command to an operating system of said host to bring said host to a single user state. Trostle, in 
analogous art, however, discloses performing at least one of the following: issuing a command to 
bring down said one or more network interfaces to isolate said host; issuing a command to an 
operating system of said host to bring said host to a single user state (figure 4: 78-96; figure 5: 100; 
column 6: lines 30-42). 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to modify the system disclosed by Moran to include performing at 
least one of the following: issuing a command to bring down said one or more network interfaces 
to isolate said host; issuing a command to an operating system of said host to bring said host to a 
single user state. This modification would have been obvious because a person having ordinary 
skill in the art would have been motivated to do so to provide a trusted technique for detecting 
illicit changes to executable programs (e.g., a "Trojan horse" appended to an executable program 
by a computer hacker) as suggested by Trostle in (column 3: lines 19-28). 

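The method of claim 18 (and the monitoring loop of claim 1), as an added worked example that is not from this office action or from either cited patent: a file-integrity check in Python that reads a configuration file listing the data entities, computes an MD5 signature per entity, compares it with a baseline held in a stand-in for the remote signature database, and records each mismatch in a stand-in for the remote log database. The in-memory SignatureDB and LogDB classes, the host name "host-a" and the sample files are constructed assumptions; the isolation steps of claim 18 (bringing down interfaces, single-user state) are left to the response procedure and are not performed here.

```python
import hashlib
import os
import tempfile

def read_config(config_text):
    # Step (a): one monitored path per line; blank lines and '#' comments are ignored.
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def extract_signature(path):
    # Step (b): MD5 as named in claims 7 and 22; returns None when the entity no longer exists.
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

class SignatureDB:
    # Stand-in (assumed) for the first remote database of steps c and d, kept in memory here.
    def __init__(self):
        self._sigs = {}
    def baseline(self, path):
        self._sigs[path] = extract_signature(path)
    def query(self, path):
        return self._sigs.get(path)

class LogDB:
    # Stand-in (assumed) for the second remote, syslog-style log database of step f.
    def __init__(self):
        self.entries = []
    def record(self, host, path, expected, actual):
        self.entries.append(f"host={host} possible_intrusion path={path} expected={expected} actual={actual}")

def check_host(host, config_text, sig_db, log_db):
    # Step (e): compare local and remote signatures; step (f): record each mismatch.
    # A file that vanished or was never baselined is reported as a mismatch as well.
    mismatched = []
    for path in read_config(config_text):
        local, remote = extract_signature(path), sig_db.query(path)
        if local is None or local != remote:
            log_db.record(host, path, remote, local)
            mismatched.append(path)
    return mismatched

def demo():
    # Constructed scenario: two monitored files, one altered after its baseline was taken.
    d = tempfile.mkdtemp()
    passwd, sshd = os.path.join(d, "passwd"), os.path.join(d, "sshd_config")
    sig_db, log_db = SignatureDB(), LogDB()
    for p, body in ((passwd, b"root:x:0:0::/root:/bin/sh\n"), (sshd, b"PermitRootLogin no\n")):
        with open(p, "wb") as f:
            f.write(body)
        sig_db.baseline(p)  # baseline recorded from the pristine file
    with open(sshd, "ab") as f:
        f.write(b"PermitRootLogin yes\n")  # change made after the baseline
    config = f"# monitored entities\n{passwd}\n{sshd}\n"
    return check_host("host-a", config, sig_db, log_db), log_db.entries
```

Running demo() returns the one mismatched path (the altered sshd_config) together with the single log entry recorded for it.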
As per claim 19: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database and said log database are 
located on a single server or a plurality of servers belonging to a local area network (column 3: 
lines 54-65; figure 1: 12). 
As per claim 20: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and digital signature 
database are encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 21: 

Trostle discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and log database are 
encrypted (column 5: lines 50-63; figure 5: 88). 

As per claim 22: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database is an MD5 database 
(column 31: lines 46-55). 

As per claim 23: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said log database is a SYSLOG database (column 24: lines 
47-64). 

As per claim 24: 
Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said data entities are any of the following: system files, 
configuration files, or directories (column 4: lines 5-35). 

Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

See the notice of reference cited in form PTO-892 for additional prior art. 

10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 
Contact Information 

11. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Techane J. Gergiso whose telephone number is (571) 272-3784. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 